
It's Time to Optimize Your SOX Compliance Program

Published
May 22, 2024

This insightful webinar and panel discussion explores the latest trends, regulations, and best practices in SOX compliance. Participants will receive practical insights and actionable strategies to navigate the complex landscape of Internal Controls over Financial Reporting (ICFR) and SOX compliance in the current year (2024) and beyond.

This session is designed for internal auditors, finance, accounting, IT compliance, and SOX program leaders who are looking to stay ahead of the curve in the dynamic landscape of compliance.


Transcript

Jerry Ravi: Thanks, Bella. Welcome, everyone. Good morning, good afternoon, good evening, wherever you are. Thank you so much for joining. This is an extremely exciting topic for us. I know when we talk about compliance, it may not sound exciting, but it is for us. Just by way of background, again, my name is Jerry Ravi. I'm a partner within the Risk and Compliance Services area at the firm. I've been at EisnerAmper for 20 years. When we go back to Sarbanes-Oxley, it's been in place. In fact, GU, who's with us today, and Marty, who I've been working with for quite a long time, we're even joking about it, 20 years and that's actually almost the anniversary of SOX. Been doing it for quite a long time, focus on a lot of value add areas within risk and compliance, including technology enablement, and you'll hear a little bit about that today.

Putting on an IT audit cloth or a hat within the IT audit area within internal audit focused on finance, accounting and technology and bringing value and embracing and extracting value out of controls every step of the way. That's the goal for me today. Again, I wanted to make sure that I introduced or at least allowed the others to introduce themselves, so Marty West, you go first.

Martin West: Thanks, Jerry, appreciate it. Hi, I'm Marty West. I am a Director in the Risk and Compliance Services. Like Jerry said, I haven't been here as long as Jerry, but pretty close. I've been with the firm for about 19 years and I would say the first five or six years I was in an external audit capacity and then I made the jump over into risk and controls and I've been doing that since. It's been a nice ride and it's been great to see the profession evolve over the years and I look forward to sharing some of my experience with the group today. GU?

GA: Thank you very much, Marty. Thank you very much, Jerry. My name is GA. I'm a Senior Manager here at EisnerAmper in the IT Risk Data Privacy and Security department. I work closely with both Jerry and Marty on all SOX related engagements. My experience involves a lot of both internal and external audits, as well as the role that we're having here in the sense of an advisor to all our clients that are looking for SOX compliance help and assistance in the compliance realm. Happy to be here and happy to talk about these topics that we have here. Very exciting and once again, congratulations, Jerry, 20 years.

Jerry Ravi: I would be remiss if I didn't mention that even within the roles that we all play, you heard Marty say he was on the external audit side, I was as well. I know GU has been within the company side on the internal audit side. We're going to come at it from a lot of different perspectives today. Our objective is really to de-mystify a little bit what's the current landscape and the challenges that we're having. I know a lot of the folks that are on the attendee list, you may be going through SOX today as it's a new endeavor for you. You may have been doing it for 20 years just like I have. Maybe it's coming at some point as well, or maybe it's just fresh, maybe you've been doing it for a year or two. The key considerations will be applicable to all of you and that's why we wanted to highlight a couple of these in terms of strategies to optimize how do you extract value inside SOX compliance.

There are some new regulations that have come out including on cyber. We wanted to mention that because we do think it relates back, always relates back to controls, and I think it's a great framework to use and talk about best practices to modernize, create that efficiencies and create strategic value as you mature within your SOX program. We've seen that along the way. PCAOB puts out requirements, regulations, the SEC, and obviously, external audit focus, that's going to be another key area for us and that helps us optimize. We'll position you with some information and takeaways to think about as you listen in today.

Then, we want to talk about technology solutions. Everybody knows about AI. AI is certainly going to come into play when it comes to detailed manual efforts that we have and even analytics. I think it's important for us to understand how technology's going to play a part in SOX compliance as well, including an update on IT controls, which GU needs to go through. I'll give you a little bit of future outlook and emerging trends that we're seeing with a lot of our clients.

Me, personally, I've been through probably 350 to 400 SOX compliance programs over that 20 years, so I've seen it all. I've seen it evolve at the same time, so I wanted to share that insight, and I know Marty and GU have also done the same in terms of what they're seeing and hearing in the last year or two during COVID, prior to that, and over the last 10-plus years. Ask questions. I know we have a packed agenda today, but ask questions in the Q&A feature. Feel free to throw something in as a thumbs up or something that you like. If for some reason we're not able to get to your question, we'll certainly follow-up and there's a little bit of a follow-up at the end as well, so you can see what other content we're putting out.

We're going to go to our second polling question. In terms of this question, hopefully you're able to see it. I don't see Bella, but ultimately, what I'm trying to glean from this is what role do you play? Again, if you're not doing SOX today, but you still have an impact, you may have your external auditors looking at controls because in essence that can be more efficient within that audit approach. It's a possibility that that's happening. Just because you're private and not public and it doesn't require you to go through actual SOX, you're still looking at internal controls over financial reporting in some way, so I think it's still relevant, and each of these roles plays a big part in moving it forward from an effort, from a resource standpoint, a top-down approach, et cetera. Everybody that you see on this screen is playing a part in SOX compliance and optimizing it.

Jerry Ravi: Great. Excellent. We have a good mix across the board. Not surprised, the highest percentage is around accounting and finance. It's really where it starts and there's a lot of support functions beyond that within compliance, internal audit, obviously even external audit. Board and audit committee clearly will play an oversight role within SOX. Thank you for that.

I want to take you through evolution of SOX compliance, current landscape and some challenges that we're dealing with. Ultimately, I think most of you probably know SOX compliance or what it is, so in essence, really, what I wanted to focus on are key components. Not really executive comp and tied to financial performance, what you see that are right, but it's been there for a long time. We know why it's there, but in essence, it's really about the financial transparency and preventing corporate fraud and mismanagement. Ultimately, that financial transparency relates back to controls. Safeguarding investors is really important in making sure that there's order of independence and maintaining integrity. A lot of that played a big part in enacting the regulation and the requirements, and ultimately, it has evolved.

I don't know if you guys could throw a thumbs up, I know there's not a polling question, but how do you feel? Is it actually improving internal controls over financial reporting? Are financial reporting activities now more complete and accurate? Do we feel that way? There's a lot, I know I'm biased, I've helped clients do this, so in essence, I do feel like there's better governance, there's better and there are more efficiencies gained through this new reg and through the new internal controls over financial reporting. That's a big plus. Again, 20-plus years later, here we are.

I added in a couple bullets here that I wanted to focus on, historical development. This was in response to the accounting scandals. Okay, we understand that. Has it improved financial reporting? Do we think it has? Again, I feel that it has over time and it takes time, and I want you to understand that when it comes to optimization, this is not just a one-time thing. This is a journey, this is a continuous process. We help our clients when we go through optimization. It's part of our planning and scoping for every single year when we reengage. It needs to be because there are changes that occur. Current landscape here, are we being results-driven? Are we being value-added? Do we have a value-added approach? Is that top of mind? Are we actually using our risk-based approach the appropriate way? Using it with the integrated audit approach with the external auditors is really important.

Future trends, where we see it going. Basically, greater digitization of your process. Technology playing a bigger part. Increased focus on some cybersecurity controls and regulatory alignment. You see ESG coming into the fold here as well. How do we optimize using the same framework? I see this in the life sciences area where you can use a similar approach to controls over FDA compliance and other areas, even in the healthcare space for HIPAA or HITRUST. It's not just about SOX and it's not a checkbox exercise the way it was many years ago, so you have to think differently for it to be optimized in the future.

You may know the concept of 404A and 404B. I think this is a bigger area of focus for us. What I wanted to make sure that I mentioned is, the reason why is the PCAOB, the regulators for the external auditors and just assertions in general in terms of how we're going to look at this in attestation. If you're required to go through 404B, the external auditors have to opine on your control environment. It requires a little more of a heavier lift, so you need to be mindful of, what's going on in that world? What are the key hot topics? We're going to go through that today. If you're 404A, you still have the responsibility as management to establish and maintain and assess those internal controls and you have to do your 302 certifications. Clearly, it's still important, but 404B requires you to do a little bit more, in some cases, a lot more depending on if there are a lot of changes in that particular year, and a lot more collaboration with external audit. I want to mention this because I think it's a key component to optimization.

Some of the difficulties that we're seeing, some of the things that you see at the bottom are really the most important. You go public or you've been public for a long time, now your company business lines are tested with this rigor, if you will, so there needs to be some training and adoption almost similar to what we do with cybersecurity these days. It's a perpetual state of training and understanding that controls are important. Controls need to address the right risks, which is why risk assessment is really important. We are a little resistant to change. It's one of the reasons why technology hasn't come into the fold as much as we would like to see, but we think that's going to be accelerated in the future. Again, we'll talk to you a little bit about that today.

The company's attempting to force compliance using an old and efficient method, more manual-intensive documentation that we need to gather is really important. How do we do that? Can we streamline that? Can we standardize that and even optimize it with technology? We got to take those manual resources that we have or those resources that we have and making sure that our time is not wasted. Minutes do matter, and ultimately, we want to make sure that we're using those minutes and that time in a valuable way.

Then, you have audit-related weaknesses that can occur. Really important. We have to make sure those resources are not constrained and we're not just going and dusting it off from last year and then doing the same as last year. Why is this important? Again, if it's a construct of any optimization exercise, this is the first thing that we would do. Most important piece in any SOX compliance program is risk assessment. It's really going to drive where you're going to focus your resources, your attention, where even if you're using an outside provider, like EisnerAmper, our team, where we're going to focus our attention. Whether we're co-sourced or fully outsourced, in essence, that's going to create an effective program right from the beginning, and that needs to be done ongoing basis, because changes are happening in the business.

It's very important to make sure you're properly evaluating your risks over financial reporting, and that's a process. Again, that doesn't just create a check-the-box exercise. It's a process that you talk through, that you brainstorm with others in the organization. You talk about how you're going to mitigate these risks and how you want to do it effectively and efficiently to reduce exposure and strengthen the compliance framework itself.

We talk a lot about what we call D&I, design and implementation. What you see at the top and to the right, really important. Designing effective controls to mitigate those risks that you actually looked at and established and tried to make sure that you're addressing in the SOX program. Do you have the proper design and controls? That relates back to documentation, people, their capabilities, all factors that, again, you consider it in a risk assessment. Are these controls implemented? That's the I in the D&I. How do we know that they're implemented? Will they sustain the test of time, monthly, quarterly, even daily? Is this the right way to do this? In essence, D&I is a real important piece of the program. We have to spend the right amount of time there and then as we monitor, and that's where the testing occurs, over effectiveness, what are we doing to make sure we're streamlining that? Now, I'm bringing this up because you're going to hear from Marty and GU about effective ways to look at all three of these areas. That's really important to consider as you look at design, implementation and monitoring and reporting.

Regulatory changes. I want to mention this briefly. There are a lot of things that are happening from the SEC, as well as even some of the states. What you see to the left, we have cybersecurity-related disclosures and procedures that are being put out there by public companies that we have to respond to incidents as well, and we have to be effective at doing that. You can create a framework that's similar, but we have to understand what the SEC is looking for. In essence, that may even go back to the external auditor requirement that they may be looking at it at some point and they have climate-related disclosures and the like. The states are also looking at different things, whether it's climate or cyber. A lot of them have already adopted cybersecurity, if not all of them, but they keep adjusting it.

We just have to understand how that plays a part, because there are some controls in SOX, particularly on the IT side, that can address some of these cybersecurity-related procedures and requirements. You see to the right, there's a couple of updates coming out from the IAA that I wanted to emphasize, especially as it relates to performance management and how you're really operating as an internal audit department. This is really important because that, again, plays a part in what you see with COSO as well, which is the prevailing framework that we've been using for SOX for quite some time.

Adapting to regulatory change. This is one of the struggles that I see with clients that I wanted to mention. You want to stay informed, first and foremost. We keep our clients informed of some regulatory changes including audit committee, but at the end of the day, how do we want to make sure if this has an impact to SOX compliance requirements, what do we do? Let's be proactive, and then we can start implementing compliance adjustments, very similar type themes that you can gain from a risk and control standpoint, risk and control major seeds or a risk assessment. Use that same methodology and framework because what we're used to, and that's what we've been optimizing. Then, conducting regulatory impact analysis along the way, I think that's important. You see the theme here is risk, so understanding, adapting, and then looking at the right risks along the way. That's extremely important as we shift to an optimization stage as you mature.

Now, we're at polling question number three, and I'm going to ask, I'm going to transition over to Marty West for this next section, so please take the time to answer this question and we'll address some of the Q&A as well that's come out.

GU: This is always an interesting topic, when it comes to the different challenges for SOX? I think we try to list out the more common themes that we see, but it's always good to identify which one could be the biggest one for you.

Martin West: Yeah, I was going to say we're definitely missing the all of the above option on this one.

Jerry Ravi: That was done on purpose. What's the one that's causing you the biggest challenge or the most pain? I will say most of the time what we're trying to do is give our clients peace of mind over that pain. I will tell you, it's in every single one of these buckets. I would imagine, if it was all of the above, you'd probably pick all of the above, but what's the one that's giving you the biggest challenge?

GU: Looks like the results are almost in, so can't wait to see the results.

Martin West: Okay, great. Thank you. It looks like it's pretty spread out. Like we said, resource constraints is number one, too much manual effort. Then, actually third, applying automation in the control environment. That's actually an excellent way to start to optimize and start to work against your resource constraints and reducing manual efforts. That third one, applying automation, could be complementary to the others. That's a great kickoff as we start to talk about optimization considerations for your role, your environment, and what you're seeing.

First off, just want to kick optimization off with what does it mean. The simple definition to optimize is making the best or most effective use of. But taking a step back, right off the bat, everybody always takes optimization is reducing number of controls and that's first and foremost, but there's a lot of different ways you can approach optimization and look at it in many ways.

First off, we want to think about what can be optimized. From an optimization standpoint, it isn't just controls, it could be almost anything and everything. It could be number of controls, but it can also be how long it takes to execute those controls or other areas for that nature. How do we get started? A key thing here is to just focus on a single area and set goals. It's easy to try and boil the ocean and just do everything all at once and say you're going to optimize, but think you're going to optimize an entire program all at once? But really, looking at a key area and moving from process to process is super helpful in really dialing in, especially when you get into goal setting and also assessing the current state seeing where you currently stand and where do you want to get to.

What should we ask? We say why, why, why? That's really the driver here. Why are we doing things? We'll speak to that in a little bit too. I know when we think about controls and maybe there's too many controls, we want to scale back on controls. You have to think, if we have too many controls, why do we have these controls and why are we still doing them? Is there a better way? Where should we look when we optimize? This gets back to those three buckets, people, process and technology. We'll talk about that more later on as well, but that's a good way of thinking about the different activities, where they stand and how you can address them. Lastly, how do we move forward? When we think about optimization, it's all about accountability, ownership, and also measuring progress, because without measurement, it's hard to understand or really gauge the goals you set and how you start to achieve those goals.

From an organizational standpoint, who can be involved? Really, the point of this slide is just to show that everybody's involved, there's something for everyone here. Whether you think of it as the overall enterprise risk management program, you have your internal auditors and your external auditors, they're both involved. When you think about them, them working in collaboration and working together, that's a great, great way to work on optimizing your program. Your process and control owners, they have a huge stake in the process. Information technology as well and the IT control set, over these 20 years we've come a really far away with technology. No longer is it just the simple IT general controls and just trying to square those away, identify our systems and call it a day. There's so much overlap between the business side of the house and the IT side of the house that everybody needs to be working together in tandem in order to fully understand a process.

When we get into the PCAOB rules and the results of their reviews and some of the output and the audit focus areas, it shows how important that collaboration between the business process side and the IT side really is. Then you also have your audit committee, your board of directors, and your senior leadership as well. What are the key focus areas for the organization? What's keeping them up at night? That all makes its way into the program as well and where we decide to focus and put our attention.

Now, here's just some examples that we have. We have two sides of the coin. The left side is some symptoms where we're not optimized in some areas where we have issues. Then, on the right side is some of those benefits of optimizing the organization. Some of the symptoms can include difficulty locating data or having the right data. Missed deadlines because things take too long. Dissatisfied stakeholders, inconsistencies or variation in the process, and then difficulty in planning and measuring success. That can include a lot of your budgeting and forecasting activities and things of that nature.

But on the flip side, by working to optimize your program, you can start to see benefits such as cost reduction, improved efficiency, as well as improved controlled compliance and increase competitive advantage for your organization against other competitors that are maybe less optimized. Enhanced quality and consistency of your program, and then performance monitoring and accountability over your program.

Flipping to the next slide, this is just an area of opportunities. Now, when we look at these buckets, I look at these going back to those three areas of people, process and technology. These are the ways that you can look at these and you can tell your approach. When we look at something like inventory monitoring, financial statement close, fixed assets, these are your standard accounting close areas. Then also process redesign, enhanced forecasting and efficiency reviews. Those are really grounded in process. What is our process? What does it look like? Are we doing too much? Can we do things faster or quicker? Those are some areas from a process standpoint.

From your payroll and HR benefits and your employee training, these really fall more under your people category. Are we putting people in the correct roles that match their skillsets at best utilize their time and their skills to do the job, the best of their availability and most efficiently? As well as employee training. Employee training will also help you increase efficiency and it can also reduce deficiencies in your control environment as well by having all your stakeholders and your control owners understand the process and avoid some deficiencies and findings and things of that nature.

Lastly, it's the technology aspect. I have those two buckets. Your system selection, system implementation optimization, as well as data optimization. Not just having clean data, but also having the right data. Using the right systems, making sure that the systems that you utilize, you're using them to the max of their capacity and that you're plugging them into your controls program and flipping a lot of those manual controls into more automated controls where you can see a lot more benefits, where you see, I would say from an audit standpoint, you can test more with less and you get into application controls and focusing on test one instead of doing these massive samples. But you can also, you reduce the risk of manual error simply by automating a system and testing the system in that way.

Now, with that said, let's jump into some of the PCAOB regulations. Like Jerry mentioned earlier, the PCAOB is the governing body over the public accounting firms. The public accounting firms, the PCAOB, they don't govern the organizations or the companies, they govern the firms. However, how they review and how they establish the rules over those firms, that ultimately makes its way down to the organization and we end up all reacting to it. They cover areas such as audit planning, risk assessment, audit evidence. They're ensuring consistency, quality and transparency through the audit practice. Over here, we have some key focus areas. Big focus areas have been user access reviews, information produced by the entity and application programming interfaces. I'll get into these in a little bit as I break down the most recent results from the PCAOB's inspections.

This comes out over the summer. These metrics are from the PCAOB's report published in July 2023 over their inspections over the firms in 2022. The report mentioned that audits with deficiencies rose for a second year in a row to 40% in 2022. Audit deficiencies rose in '22, non-compliance with PCAOB standards and rules rose in 2022. But on top of that, they did mention on the positive side that audit firms can learn from adopting good practices. This just shows that the deficiencies are continuing to rise year-over-year and that the PCAOB has continued to crack down on the audit firms and it's been a trend these past few years. Once we get into the audit focus areas, we'll see what this impact and effect has had on the industry as it relates to controls.

But before we get there, how can you best be prepared for regulatory change? By having accurate, up-to-date dashboards and reporting, that's a good way. By having good dashboards and up-to-date reporting, technology is a great driver for that using many of the tools that are out there that always helps you gather your data and report out your data timely and keep a good view of your environment. Use of audit tools, whether there's a bunch of audit tools on the SOX side, one of which is near and dear to us is Workiva, we utilize them a lot in how we do our audit testing and how we interface with our external auditors. You also have Audit Board out there as well who's in a similar space. Then, on the accounting close, there's also tools like FloQast and Blackline, which help you manage and streamline your accounting close, which has a lot of controls around sign-off and review activities which help the company in their documentation and evidencing of their program.

Then, really, just using an agile approach too and just being open to changing on-the-fly and evolving, because this isn't a one-stop, set-in-stone kind of deal like how Jerry mentioned earlier, how this is always evolving and it always gets back to that risk assessment and taking a fresh look each year and trying to understand what does the controls mean for you now. It's not a set it and forget it. If that's the case, things get stale really fast and you can also end up having way too many controls. If you add a couple of controls every single year and you never take that fresh look, you're going to have a massive program and it's really not needed.

Getting back to the PCAOB, here's three of the major focus areas that have been coming out of their inspections. First off, the auditors did not sufficiently evaluate whether controls were the review element selected for testing operated at a level of precision sufficient to prevent or detect material misstatement. This is your classic review control findings. This has been a huge focus for the audits and really, what it is, it comes down to your audit documentation and how do you drive your review procedures. I saw half of you in the audience are in accounting and finance, this is a good takeaway. When you're doing your reviews, you need to make sure that you're properly documenting and laying out how you're doing your review. Jerry said, it's been 20 years since this started and we've gotten pretty far away from the old days of having initials and a date and calling it a day and having that count as a review.

Now, it's gone the other way, and they're really driving home on not just, did somebody review it, but what did they do? What did they look at? Not just what did they look at, what levels? What dollar amounts did they look at? What did they focus on? Really being able to re-perform and understand what the reviewer did. That's a huge focus and that's something with the majority of my clients where I've seen that come up a lot and we've had to put a lot of time and effort into making sure controls are designed appropriately to make sure it hits on all those key items.

Second is that the engagement team did not perform procedures to test the accuracy and completeness of information produced by the company. This is getting back to that overlap between the business process and the IT side like I was mentioning earlier. It's super important that the teams work together and everybody understands where your information is coming from, what key systems there are, and that they're getting the right data from their systems, because a lot of times, it's been coming up that maybe work was done, but it was done over a report that wasn't sufficiently vetted and it was leading to findings and deficiencies. This has come up a bunch in the PCAOB's reviews of the audit firms.

Lastly, auditors didn't test controls that were important to the conclusions about whether the control is sufficiently addressed, assessed risk of misstatement to each relevant assertion. This gets back to the risk assessment, just how important that risk assessment is. We'll talk about that in the next slide, but really, that drives the majority of the program and what's important and where we should really be placing our focus and spend most of our time.

Working those key focus areas into our program, here are some ways to drive a successful program. Right out the gate, it's proper planning and having alignment with key stakeholders. Those key stakeholders can be the audit committee, the board, all your control owners. It also includes internal auditors, it includes your external auditors, making sure everybody's on the same page, everybody understands what the program is for the year and how we want to push ahead. As part of that planning, the risk assessment is super important, that you're laying out the plan for the year. When we think about SOX, a lot of it's based in ICFR and controls over financial reporting, so we're starting with our financial statements, looking at a materiality driving risk rankings based on the dollar amounts, but also those other qualitative and quantitative factors.

We're really making sure that we're not just doing the risk assessment, but that we're also sharing that with the external auditors to make sure they're on board because the last thing we want to see is that we start executing on a plan and we get to the middle or the back end of the year and the external auditors were expecting something completely different, and now we're reacting to a change in scope versus us all being on the same page at the beginning of the year.

In doing that risk assessment, that's a great place to do a controls refresh. I mentioned before, every single year you could be adding controls, especially if you have deficiencies or findings. Anytime there's a deficiency or a finding, the reaction is, "All right, let's just add a control. Let's add a control, let's put something new in just to cover off on that." If you're adding controls every single year, you can end up having a massive program, so each year, in the beginning of the year, you want to take a look at your controls program and think, are these truly the right controls? You really want to take those controls back to your risks, understand what the key risks are for the organization, map those controls back to the key risks, and you'd be surprised at how many controls you find where there are duplicative controls against core key risks, and you could de-key a lot of those controls because they're duplicative and redundant, and you can reduce both the amount of effort, as well as potential expense in the audit, by reducing that number of key controls.

Another way to optimize, and I touched on this earlier, was the automation of controls. How many times do you go in? I see this on my walkthroughs all the time, where I'm sitting in a walkthrough as internal audit and the process owner is showing me their procedure and how they're coming up with, say, a workbook that they do once a month, and they're telling me it literally takes two days for them to prepare the workbook. That's 16 hours, and if they're doing that monthly, that's 12 months a year. You see all that manual work, that could be one of those areas where you say, "Hey, how can we either automate this control with better systems?" Or maybe we start looking at solutions such as robotic process automation, RPA, things of that nature, where maybe we can use a digital worker and help strip out some of that manual effort and then re-purpose those individuals to do more of the review side of the work and not focus as much on the preparation, so their time is more value-added.

Then, lastly is just ongoing communication and collaboration. Similar to how we want to plan and align with all our key stakeholders at the beginning, you want to make sure you have open communication throughout your entire engagement, staying on the same page with the external auditors, internal auditors, management, having everybody speaking the same language. Really, it does wonders for your program and just keeps everybody on the same page, and the biggest thing there is that it helps you avoid surprises. I'll kick it over to Jerry to touch on some audit trail and documentation.

Jerry Ravi:Yeah, I'll go through this fairly quickly. Thank you, Marty. I know we have a couple of questions here that I do want to address, and one of them relates to, and this is actually a great point by someone internal to the firm who's high-level and executive around our audit methodology, our external audit methodology, so I appreciate the question and the point. When we talk about audit trail and documentation, even on the left-hand side, documentation is a big deal. This is where programs can get really just stale, just inefficient. How is that documentation coming together? Management review controls are really important and precision levels are very important, and Marty mentioned that. How you document that and how you actually dot those i's and cross those t's are going to be important to testing the effectiveness of that control, so just make sure that when you have controls with a lot of judgment, and that was really the point, yeah, management review controls with a lot of judgment, you may want to replace those with your process-level controls that are a little more prescriptive and you can actually test those with more efficiency.

I think, when you talk about a controls refresh as well, again, doing that every year is really important. Looking at those controls, is this the best way to do it? Is this causing us angst even on the assurance side? Are the auditors asking more questions in this particular area, which heightens the risk? It's just being able to focus that journey on particular areas where you're going to gain efficiencies, and then having that single source of truth is important. That's where technology like Workiva comes into play. We've been a partner with Workiva since 2017. We think it's a great tool. It's done wonders for our SOX programs, in essence making us more efficient, but it is a place where we go where that's housed. You can have that in a BlackLine tool as well, which could have a connector, so you can get a little more quality and actually have deeper insights when you're able to do that, and then it relates back to even traceability in terms of being able to trace it back and having that tracking mechanism and not having to look for it.

There's the duplication of effort that always causes angst. That was another question that was asked about dissatisfied stakeholders. Dissatisfied stakeholders, including your auditors or management, they're dissatisfied because they're having to do things more than once. They're being asked the question more than once. They're being asked for the documentation more than once. Well, one key aspect of creating optimization is having the external audit team members and the internal team members, that'd be us or management together, doing those walkthroughs together, asking questions, talking about the risks, so that way you're not doing it another time.

That's an easy way to do this or an easier way to gain some optimization, but ultimately, you're still dealing with the single source of truth, you're still dealing with the same documentation, not going to multiple places for it. That takes some time and that's on a journey as well, so you have to really do that in planning and scoping, but actually have a continuous process to evaluate, is it working? We've taken the burden off our clients by having that program really adopt a model where we're doing it together and it's fully integrated, so that helps quite a bit.

In terms of training and awareness, I won't go through each and every bucket, but in essence, this is going to allow you to really, the bottom bucket to me is the most important, foster a culture of compliance. Where we have issues with high cost of compliance is when you have a lack of coordination. Again, even going back to the previous comment about integration, we have to be coordinated, we have to be moving in the right direction, so that's really important, to make sure you continue to have training and awareness. How many people on this call have continued to have training and awareness over SOX programs? Did you just do it once in that first year, maybe when you went public, and you never did it again? I actually feel like the team feels like it's something that we should be doing every year, at least as a refresher, so that people know where we're headed and what they need to be looking for, so that's important.

Then, you have preparing for your external audits and compliance reviews, understanding what the auditor is going to be looking at. GU's going to talk a little bit about third-party assessments and the use of third parties, and that's a big change. A lot of companies are using third parties for a lot of different things, mostly technology providers. What are we doing to make sure that we're evaluating that properly? That's going to actually create more efficiencies around the assurance process for management when they look at their own controls, including the external auditors and allows for better performance.

Then, continuous monitoring and testing is a big subject. I think we've been talking about this, although for a while, I think we're here where we could do some more real-time monitoring in particular areas like user access. It's not something where you can look at a point in time. We could actually have testing strategies where we're looking at controls on a continuous basis, again, through technology as well, and actually have that be documented, so the external auditors could see how we can actually sample, even if the technology did select a sample for us. Continuous control assessments and monitoring are going to be something that you see coming forward to drive efficiency. That's another big area as we build towards optimization. We are going to go to polling question number four, and at this point, I'm going to kick it over to GU as well. Are you utilizing a technology solution to enhance your SOX program today?

GA:That's also a big question always, isn't it? When it comes to technology solutions? I think a lot of people always wonder, which way should I go? What's the best one? Not everybody was born knowing which technology solution to use. This is kind of in a way to-

Jerry Ravi:As people are jumping in, and GU, I was going to say. Yeah, there was one question as we're waiting for everybody to jump in with this polling question number four, another point that was made, which I think is really important when we talk about documentation, and we mentioned it quite a bit. It seems to be the norm, and has been for quite a while, that you can actually flowchart with a slight narrative, a summary narrative, that in effect allows everyone, including the process owners, to see the control in a more effective manner and to flow through it in a more effective manner, so I think flowcharting with a summary narrative attached is really important. It's a lot better than, I call it the older days, but a narrative that used to be 20 pages long; it's very difficult to point out the key nuances that address the risks within those narratives. Thank you, again, for the comment.

GA:Particularly in the revenue generation processes, I think that's where the flowcharting just is very important.

Martin West:Especially as it relates to underlying systems and mapping, because the biggest trip-up I see with a lot of my clients is having new databases or new tools or other systems that seem complementary or behind the scenes come into scope late in the year because we didn't properly map it out in the beginning of the year and identify all the things up front. That's another thing that keys them up.

GA:Absolutely. Totally agree with that. It makes total sense. I think it seems like it's pretty evenly distributed when it comes to the way everybody's answering these questions. I guess, yes, there's a third, and I guess a third doesn't feel like a tool is needed, and a third is actually utilizing the tool. It's a fairly even breakdown, and I guess this is a perfect time to move over to the technology enhancements and focus areas for SOX compliance. This is one of my favorite subjects when it comes to SOX, because in many ways SOX is viewed as something that is more bureaucratic or took 20 years to get here, old approaches to how we look at evidence, how we keep track of our narratives, flowcharts, all our design documentation, controls and everything. Like the third that might not be using a tool, they might be going through something like version control issues and has someone updated something from previous years.

Those are some of the things that I think the old SOX programs have consistently as an attribute, and I think the newer programs, as everybody's here to learn, I guess the optimization process of it is very important here to mention. Our first point here is the IT general controls optimization, and an agile approach is something that we've noticed works very well. The second piece is just finding your software or your way of how you're going to manage evidence and how you're going to manage your workspace and your testing. The last two are very related to automation of your SOX work using different tools, as well as the different vendor relationships, and a question that the SEC and the PCAOB have been asking a lot more, the cybersecurity. These are the four focus areas that we have noticed on the IT side, and anyone who doesn't like efficiency and doesn't like process improvement, close your eyes, close your ears, this is not for you.

But since everybody's here to actually learn about these items, our next slide is the Agile approach. This is something that we're trying to get into the Agile approach to SOX. This is something that I think is very important when it comes to just understanding how to optimize your SOX program. From one side, you have a new approach with different tools. From another side, you have a way to utilize your SOX program within a software that can help you streamline your processes, and in many ways, less is more. Avoiding processes, manual processes, processes that could actually be automated or some job that could do it for you is more reliable when it comes to different auditors.

The next slide here is generally, we're very agnostic when it comes to tools, but something that I think we have an advantage of working with Workiva is that we actually can trust our vendor. This is something that we've developed within our partnership with Workiva. This is something that not everybody can offer you. Not everybody can offer you different auditing tools and actually tell you, "We trust these guys, we work with them very well. We can give you the opportunity to get the most out of this tool." This is something that Workiva offers, different integrated flows for testing, it's very intuitive, it's very powerful, it has different modules that you can use and pulling all your data, a one-stop shop for any auditing stuff.

It's very useful, and if you come to us and say, "Hey, we don't know which tool we want to use," and another tool works for you, we'll give you an unbiased opinion, but again, utilizing that trust factor and the opportunity to utilize the most of what you can from a tool is something that we usually advise. In that sense, these are the features that we really like. You have real-time features when it comes to your testing. You can create reports, you know who is doing what, when, and whether something has been completed. There's comments, there's dashboards. If you're going to the audit committee and you're struggling to put your slides together, this is a place to quickly take out all your, you can even generate your PowerPoint out of it, so you might not even have to do anything.

As Workiva is also a vendor, and by the way, SOC 1 and SOC 2 is something that we're focused on for different vendors, Workiva wouldn't be the one that would fall under this kind of scope. When it comes to SOX, you really have to make sure that all your vendors that actually touch any of your financial reporting pieces. You have your NetSuites, and you have your Workdays, and you have Concur and all these other applications, it's very important to revamp the way you look at them, because right now, everything is being outsourced to third-party SaaS companies and it's the way to go. They have embedded tools and embedded processes that can help you optimize your SOX program without having these additional manual processes, and have workflows that can help the approval process and document everything and lock it down. Now, all of that is very nice as a feature, but we really want to make sure that everything that the contract offers is exactly what you want, as well as we want to make sure you can trust the vendors.

This is a very big piece, as the external auditors are very honed in on not only who the external vendors you have are, but what are the third-party vendors to these external vendors that help you, the sub-service, the so-called sub-service organizations that help this vendor achieve the overall objective. What are their controls? These are the kinds of things that more and more organizations, from the Big Four and generally CPA companies, are looking into. The external admin reviews is something that we don't really see happen often, but I think that's very important for everyone to be able to do.

We always have external admins for these tools. Everybody trips up when they're like, "Well, it's part of their SOC report," or something like that. Well, not necessarily, because they're part of your environment and you really have to make sure you understand what their role is and what they are really doing for you, and that goes back to the insurance of contract relevancy and transparency. The last piece is you might need stuff from them very quickly, so try to build a positive relationship with them right from the beginning. Put a clause in your contract that we have to meet once a month. It won't cost you anything, but if you have questions and if you have SOX needs, it's always nice to have them on speed dial. The ones that have been more successful are those that actually are able to do that.

Overall, the first poll talked about resource constraints and manual processes. Applying automation, external vendors can help you do those things, and they can relatively help you with a very robust cost, and they can really right-size their offerings to what you really need. Just follow this guidance for the relationship that you would have with them and just make sure that you select the right tools. Apart from that, the last two slides, and I want to quickly glance over them, are the different cybersecurity regulations. These cybersecurity regulations are something that the SEC is very honed in on. They implemented that for all the public companies, now they're doing it for all the funds. If you really want to know more about the topic of the new cybersecurity regulations, Jerry Ravi and I have been able to post a video on this, so take a look there. I'm not going to cover that as much here, but we have a two-part video series that will cover the different best practices when it comes to cybersecurity and fund regulations.

The last piece is just to give you a little taste of what the best practices are for cybersecurity. It's a hot topic these days, and I think cybersecurity is something that is only going to grow from the regulatory point of view, and it's time to layer cybersecurity into your SOX program. Before, it was just a cyber inquiry, maybe for 30 minutes. Now, it's something that's going to be its own set, its own domain, and you really have to get ready to address those. In this specific scenario, we have IT practices. We talk about policies, we talk about different internally developed design documentation.

We talk about planning. No report is good if you don't practice, if you don't take it and really assign roles and go through different items to make sure that each department knows what to do. In case of a cybersecurity incident, you really want everyone to move very fast. If nobody knows what they're supposed to do, by the time you get to the incident, it might be too late. You'll be disclosing the newly required SEC items to your stakeholders. You can avoid that by using some of the external tools and external software, external service providers that can help you with that task.

On that note, I believe that we can jump to our last polling question. This is something that we really wanted to know at the end of this program. Would you consider discussing benchmark implementing SOX optimization activities that we've discussed here? We have three very simple answers for you to close it out. While we're doing this, I wanted to see if Marty and Jerry wanted to have some closing remarks.

Jerry Ravi:Yeah, Marty, why don't you go first and then I'll jump in to take it towards the end.

Martin West:Yeah, for sure. No, this was great. I think there's a lot going on out there, there's a lot changing in the environment, and a lot of things we're ultimately reacting to, whether it's PCAOB rules and things like that or just trying to right-size things through the number of controls or through AI and RPA and all this digital disruption. It was great to be able to touch on some of that, and if anybody wants to discuss more, they're always welcome to reach out. Jerry?

Jerry Ravi:Yeah, thanks for that, Marty. I think, ultimately, just gauging where you're at in the program and where you're headed is really important. I know on the next slide, I'll just go through some concluding remarks, future outlook. I'll give you some information as well in terms of what's next. We're planning as a firm, and even as a risk and compliance group, more of a public company campaign to push out more topics quarterly as well, so I wanted to make sure you were aware of that. I think we can close the poll out at this point and we'll close the session in just a minute or two.

Great. Well, it's good to see that even you're more established, I'd like to see that. Ultimately, we want to make sure that there's a plan forward, and even if you are established, just continue doing that in terms of continuous improvement, that's really important. Just to give you a couple of key takeaways, you see at the top, the importance of the risk assessment, resource commitment, having a PMO for SOX and even a steering committee, even if you're smaller in nature, you really need that. That's important, and we support our clients as their PMO quite a bit. Automation, use of tools, analytics, external auditor collaboration, I think documentation flows into a lot of this because it plays into the importance of risk assessment, commitment, project management, all of the above. Just consider documentation as a key strategy and a key takeaway.

Then, your optimization for SOX compliance, again, continuous improvement, just making sure you're looking at it every time, every year, and you start planning, and then ultimately, you can even do it throughout the year. Preparing for those future regs that we talked about already, I think that's really important.

Top themes, I wanted to just have you stay tuned for these. Ongoing public company SOX optimization updates, you see to the left, there are key themes that are going to come out that we're going to have potentially separate sections on: external audit alignment, 404(b) and 404(a). We're going to bring a client or two to talk about this. We have one client that flipped from (a) to (b) and then back to (a). How do you plan effectively for that? If you've gone through M&A, deficiency analysis and how you look at that, automation, capital markets, IPO updates and technology enablement. Potentially quarterly webinars, blogs, articles, and also focused roundtable discussions, if you're interested, happy to host one for you, even exclusively, just let us know. We've done that for many clients. It's extremely helpful as a brainstorming session. What you see to the right are some of the other things that you can find on our website as well. I just wanted to say thank you to everyone. I really appreciate you taking the time today, and we hope to see you soon or talk to you soon.

GA:Thank you, everybody. Take care.

Transcribed by Rev.com
